The Downside of the FCC’s New Internet Privacy Rules

There may soon be a new cop on the privacy beat — the Federal Communications Commission. Last month, the FCC issued a 150-page document proposing sweeping new rules and regulations for broadband Internet Service Providers (ISPs). But in my analysis, this is not good news for those who genuinely care about promoting consumer privacy.

To understand why the FCC’s involvement would create more problems than it would solve, it helps to understand a massive shift in web security over the last few years: the overwhelmingly successful campaign to encrypt data flowing to and from consumers over the Internet.

Encrypting data traffic ensures that information you send and receive can’t be decoded by anyone — including criminals, government snoops, and even the ISPs who provide your access to the internet. The latter group includes home and mobile broadband providers, and anyone — your cable provider or a coffee shop — who offers a Wi-Fi connection. Encryption means that only the sites you visit can see the contents of your interactions with them, which is how e-commerce companies, apps and other can provide customized suggestions, responses, directions, and advertisements.

According to Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology, disclosures of government hacking by former security contractor Edward Snowden greatly accelerated the push to encrypt everything. Over half of all web traffic is now secured, as invisible to ISPs as it is to the NSA. By the end of this year, that number will climb to 70%. Most email is already encrypted. Skype is encrypted, as are your interactions with Netflix and, increasingly, the videos you watch. In the next five to 10 years, encryption will become even more ubiquitous.

For mobile devices and the apps that run on them, the trend is increasingly to provide users with end-to-end encryption, meaning even the provider can’t reveal your data, with or without a court order. The wildly popular messaging service WhatsApp, which is owned by Facebook, already provides such protection, the source of extreme disapproval from governments including Brazil, which has twice shut off the service in recent months over concerns about its use by criminal enterprises.

As a side-effect of the encryption campaign, ISPs are largely blind, for better and for worse, to consumer information of any kind, let alone what the FCC calls the “very sensitive and very personal” information that content and other on-line service providers have routinely used, so far to tremendous effect and minimal malevolence.

If the FCC’s new rules are adopted, broadband providers will be preemptively barred from using contextual information to tailor your internet experience — including the personalized advertising and other customized features that have so far driven the internet’s largely free content and services.

But why would the FCC place such severe limits only on internet access companies, when the rest of the internet more-or-less runs on the exchange of user information?

The agency is proceeding under a false premise. Your broadband provider, the FCC claims, controls “the most important and extensive conduits of consumer information,” with the means to use that information not just for commercial purposes but for outright evil. Left unchecked, the Commission worries that ISPs might one day decide to “threaten a person’s financial security, reveal embarrassing or even harmful details of medical history, or disclose to prying eyes the intimate details of interests, physical presence, or fears.”

Histrionics aside, the reality is that ISPs don’t control important or extensive conduits of consumer information. Thanks to the encryption campaign, they can’t even see most of it. While leading internet companies including Google, Facebook, and Netflix have continued to collect and harvest more personal information for ever-more innovative commercial uses, broadband providers have done little customization, largely because they don’t have access to transactional data, personal or otherwise.

So what’s really behind the FCC’s sudden interest in privacy?

Until recently, regulation of the collection and use of all personal information had long been the exclusive domain of the Federal Trade Commission, which polices advertising and anti-competitive behavior. For years, the FTC has taken frequent action, for example, when internet companies fail to live up to their own privacy policies or when they engage in objectively deceptive practices.

As FTC Commissioner Maureen Ohlhausen recently noted, the agency has already brought “more than 150 privacy and data security enforcement actions, including actions against ISPs and against some of the biggest companies in the internet ecosystem,” comprising giants in search, advertising, content and e-commerce.

At least they used to, until last year, when as an unfortunate side-effect of the FCC’s now-challenged decision to regulate broadband providers as public utilities, the FTC’s legal authority over ISPs was abruptly cut off.

The FCC is now rushing to fill a void created by its own decision. But if the Commission goes forward with its privacy proceeding, broadband providers will be subject to one set of rules while every other internet company will answer to a different regulator and a very different standard of conduct.

The FTC’s flexible and largely successful market-driven approach will continue to apply to companies who actually use personal information — Google, Amazon, Facebook, et. al.. ISPs will instead be subject to the FCC’s more formal micromanagement; what former FCC Commissioner Robert McDowell refers to as the “mother may I” approach to regulation.

Broadband providers, ironically, will be the only enterprises required to have users consent or “opt-in” to most uses of personal information. The agency has proposed excruciatingly specific procedures for verifying that consent, along with detailed disclosure of how aggregated data can be processed–none of which apply to internet companies who actually use personal data today. Some unspecified applications may be banned outright, whether consumers want them or not.

While the agency downplays it, the difference between opt-in (ISPs) and opt-out (everyone else) is severe. Requiring consumers to affirmatively agree to every potential use of information — for example, to personalize ads or consolidate information for “big data” analytics — dramatically increases transaction costs for everyone, with little or no benefit. That’s a source of inefficiency very few consumers will find at all helpful; more likely, quite the opposite.

Which is perhaps why the rest of the internet ecosystem has strongly resisted opt-in rules all along, and rightly so. In their own ways, multi-billion dollar businesses as different as Facebook, Amazon, Snapchat, Pandora, Priceline, and Twitter depend on easy access to the personally-identifiable information of their users.

Imagine if Google couldn’t include ads in search results or alongside Gmail without explicit requests to do so from consumers. Few users would bother to opt-in even if they didn’t care, and the company would be seriously hobbled. Trillions of dollars in value would disappear.

The FCC’s laser focus on ISPs, it turns out, has little to do with the agency’s losing argument that broadband providers have “unique” access to “comprehensive” consumer information. Nor is it because, as the FCC also claims, consumers can’t change ISPs as easily as they can “instantaneously (and without penalty) switch search engines (including to ones that provide extra privacy protections), surf among competing websites, and select among diverse applications.” For one thing, consumers using multiple mobile devices and Wi-Fi connections switch networks all the time, further limiting the data collection potential of ISPs.

But more to the point, there are equally if not higher switching costs involved with changing email, search, or social networks providers. Anyone who has tried to do this knows how tricky it can be.

The reality is that nearly all consumers value the exchange of information for services that has driven the internet revolution for two decades now. For those who don’t, opt-out opportunities, including ad blocking software, are readily available.

So the FCC’s new rules won’t help consumers so much as it will keep ISPs out of internet advertising and other growing businesses. Which is probably why companies subject to the FTC’s more market-driven regime are encouraging the FCC to place stricter limits only on ISPs.

The FCC plan, in other words, may just be plain old-fashioned rent-seeking by web businesses who make the bulk of their income today from advertising — manipulating the law to win unearned competitive advantage. If ISPs are hobbled in their ability to make the same kinds of uses of information that everyone else has always enjoyed that’s one fewer new competitor to worry about. Advocating regulators to punish competitors invariably backfires, eventually.

But here the gambit may have more serious unintended consequences, including putting all consumer privacy at real risk. How? Go back to where we started: the accelerated spread of encryption in response to perceived government spying.

As the on-going fight between Apple and the FBI over access to smartphone data most recently reminds us, both consumers and businesses continue to have concrete reasons to be cautious about how easily governments can see your personal information, whether for law enforcement or any other reason.

Yet to enforce consumer complaints that ISPs are violating the FCC’s proposed privacy rules, the agency will need expansive access to data traffic, not only of the complaining consumer but of other consumers. Providing technical back-doors for governments, however, is precisely the outcome Apple, WhatsApp, and other participants in the internet ecosystem are spending so much political capital to avoid. If history is any guide, it’s clear that once government agencies gain access to personal information, the likelihood of that data leaking elsewhere — the NSA, but also the IRS, the INS, and other regulators — is nearly 100%.

So why would rational consumers who value both their privacy and the effective customization of their online life want another regulatory “cop on the beat”— especially at a time when concerns over government information gathering are reshaping the technical architecture of the Web and mobile devices specifically to limit their access? It’s an issue that both consumers and businesses should be paying closer attention to.